Almost 35,000 PayPal user accounts fell victim to a recent credential-stuffing attack that exposed personal data likely to be used to fuel additional, follow-on attacks.
PayPal filed a breach disclosure that revealed the attack began on Dec. 6, 2022 and continued until it was discovered on Dec. 20, 2002. As a result, the names, addresses, Social Security numbers, tax identification numbers, and/or dates of birth for 34,942 users were exposed.
“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account,” PayPal explained in a letter sent to affected users. “There is also no evidence that your login credentials were obtained from any PayPal systems.”
PayPal added that once the attack was discovered, account passwords were reset, and additional security controls were put in place. The payment platform is offering Equifax identity theft monitoring for victims.
Stolen Credential Ecosystem
The credential-stuffing attack on PayPal was likely a way for threat actors to validate usernames and passwords they had already obtained; now that they have been checked against breached PayPal accounts, those verified credentials will be sold to another threat actor, according to Jason Kent, hacker in residence with Cequence Security.
“The value in the list is that it's verified,” Kent said in a statement provided to Dark Reading. “My guess is the usernames and passwords were sourced by some other breach that pointed to the potential for the accounts having PayPal access.”
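The validation pattern Kent describes has a recognizable shape in authentication logs: one source trying many distinct usernames in a short window with mostly failed logins, and the few successes are the credentials that have just been "verified". The following detector, added here as an illustration rather than anything from PayPal or Dark Reading, runs that heuristic over constructed log lines and returns the accounts a defender should force-reset first; the thresholds and the log format are assumptions.

```python
# Added example (not from the Dark Reading article or PayPal): a minimal
# credential-stuffing detector over constructed authentication log lines.
# Signature: one source IP trying many *distinct* usernames in a short window
# with a high failure ratio. Accounts that succeeded inside such a burst are
# the "validated" credentials a defender should force-reset first.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp ip username result".
# 203.0.113.7 stuffs a breached list; 198.51.100.9 is a single-account
# brute force, which this heuristic deliberately does not flag.
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice FAIL
2022-12-06T10:00:02 203.0.113.7 bob FAIL
2022-12-06T10:00:02 203.0.113.7 carol OK
2022-12-06T10:00:03 203.0.113.7 dave FAIL
2022-12-06T10:00:03 203.0.113.7 erin FAIL
2022-12-06T10:00:04 203.0.113.7 frank FAIL
2022-12-06T10:00:05 203.0.113.7 grace OK
2022-12-06T10:00:05 203.0.113.7 heidi FAIL
2022-12-06T10:03:00 198.51.100.9 alice FAIL
2022-12-06T10:03:05 198.51.100.9 alice FAIL
2022-12-06T10:03:09 198.51.100.9 alice OK
"""

def parse(log_text):
    """Turn log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=1), min_users=5, max_success_ratio=0.5):
    """Return {ip: sorted usernames that logged in OK during a stuffing burst}."""
    by_ip = defaultdict(list)
    for ev in sorted(events):          # chronological order per source
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window start
                start += 1
            burst = evs[start:end + 1]
            users = {e[2] for e in burst}
            successes = [e for e in burst if e[3]]
            if len(users) >= min_users and len(successes) / len(burst) <= max_success_ratio:
                flagged.setdefault(ip, set()).update(e[2] for e in successes)
    return {ip: sorted(u) for ip, u in flagged.items()}

if __name__ == "__main__":
    print(detect_stuffing(parse(SAMPLE_LOG)))  # {'203.0.113.7': ['carol', 'grace']}
```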
Password Reuse the Real Culprit
Even the strongest, most complex passwords can't keep data safe if they're reused across accounts. The PayPal accounts might have been protected in this case if they'd had unique passwords, noted Erich Kron, security awareness advocate at KnowBe4.
“This is what allows credential-stuffing attacks to be so successful,” Kron said in a statement about the incident. “Bad actors will take credentials scavenged from other data breaches and attempt to use them on other likely services such as banks, online shopping sites, social media, and in this case, online payment sites.”
While a password manager isn't a “silver bullet,” Kron added, it's an important added layer of protection against credential-stuffing attacks like the one on PayPal.
“Remembering all of these passwords can be nearly impossible; however, through the use of password managers which can generate and store completely unique passwords, this can be done without a significant amount of effort,” Kron said. “In addition, the application of multi-factor authentication can be very helpful in these cases of account takeovers.”